In the news CNS Lecture 6 • Microsoft IE Active X remote code execution • Microsoft powerpoint remote code execution (0-day) Block ciphers -- AES (Rijndael) • MAX OS X multiple vulnerabilities Stream ciphers • OpenSSL ASN.1 remote buffer overflow Key management • gzip, firefox, Adobe flash player, … review
assignment 5 A assignment 6
CNS Lecture 6 - 2
Block cipher modes You are here …
Attacks & Defenses Cryptography Applied crypto • ECB, CBC, CFB, OFB, CTR • Risk assessment� •Random numbers� •SSH • applies to all block ciphers • Viruses� • •Hash functions� •PGP Padding, chaining and IV’s • Unix security� • hide repeated plaintext MD5, SHA,RIPEMD •S/Mime • authentication� • different error/attack properties • Network security •Classical + stego� •SSL Firewalls,vpn,IPsec,IDS •Number theory •Kerberos •Symmetric key •IPsec encryption does not guarantee message integrity!
DES, Rijndael, RC5 •Public key
RSA, DSA, D-H,ECC CNS Lecture 6 - 3 CNS Lecture 6 - 4
Padding, IV’s, and key generation in OpenSSL Block ciphers
• Encryption will pad to block size of cipher (DES: 8 bytes, AES 16) Feistel substitution and permutation – E.g., 3 bytes in � 8 encrypted bytes out, 21 in � 24 out – May want to pre-pad with random “salt” to obscure same message • DES •performance (time/space) vs strength • OpenSSL standard API encryption pads with bytes of IV • Lucifer •large keys – EVP methods pads with byte count (PKCS 5) •strong subkey generation and pre-pends 8-byte magic “Salted__” and 8 byte random salt • blowfish •large blocks – openssl des-cbc: 7 bytes in � 24 encrypted bytes out, 8 bytes in � 32 encrypted •simple operations, non-linear functions (S-box, rotate) bytes out • CAST •iterative, more rounds • Cipher may be attackable if attacker knows IV •resist known attacks (diff./lin.) – Best practice: derive IV from shared secret (asnmt 7) + nonce? •ciphertext should have uniform distribution (look random) – Need different IV when restarting encryption non-Feistel – OpenSSL EVP optionally derives IV from MD5 of key • Converting a password to a key • IDEA – Assignment 7 uses MD5 • RC2, RC5 – OpenSSL EVP_BytesToKey() generates key and IV from password using MD5 • AES (Rijndael) • For non-feistel need invertible operations
CNS Lecture 6 - 5 CNS Lecture 6 - 6
1 AES Mars (IBM) Advanced Encryption Standard Other crypto bake-offs • replace DES Europe: NESSIE • '97 call for algorithms Japan: CRYPTREC • Feistel (1/4, 3/4 rather than even split) – royalty free, publicly disclosed • 8 (unkeyed) pre/post-whitening rounds –128-bit block symmetric key cipher –addition, XOR, and 512x32 S-box (32-bit –key-sizes: 128, 192, 256 words) evaluation criteria • 16 keyed rounds • security –addition, XOR, and S-box, multiplication, • cost/performance (memory, computational efficiency) data-dependent rotations, key addition • architecture -- simplicity, flexibility • S-box: pseudo-random and tested • hardware/software suitability • key schedule: linear transform and S-box, with pattern matching to eliminate weak subkeys • '98 15 candidates keys copied in to T[i] • '99 5 finalists (MARS, RC6, Rijndael, Serpent, Twofish)
CNS Lecture 6 - 7 CNS Lecture 6 - 8
serpent Rijndael
rhine-doll (or rain doll) • substitution-linear transform network • son of Square cipher • non-feistel – need inverse S-boxes and inverse transform • substitution-linear transform network • 256-bit key, 128-bit blocks, 32-bit work unit non-feistel (need inverse) • bit-slice mode • plaintext block (16 bytes) treated as 4x4 array (state array) • • 8 4x4 DES-like S-boxes Linear transform (L) 10/12/14 rounds (128/192/256 key size) – pseudorandom with testing S-box, row shifts, column mixing, key-XOR • key schedule: S-box, constants with XOR, rotates • 32 rounds (most secure, slow) • 16x16 S-box (256 bytes) – XOR, S-boxes, linear transform • For decryption need inverse S-box and inverse mixcol – avalanche after 3 rounds user key wi • Rijndael uses polynomial arithmetic (S boxes and mixcol) 3 2 4 • key schedule: affine recurrence with S-boxes a(x) = a3x + a2x + a1x +a0 mod (x + 1) 8 33 128-bit subkeys coefficients (bytes) ai are in GF(2 )
• RC6 (son of RC5) • Twofish (son of Blowfish)
CNS Lecture 6 - 9 CNS Lecture 6 - 10
Rijndael setup – key expansion Rijndael setup -- S box setup • S-box (and inverse S-box) (256-byte) can be calculated or bytes pre-built (time vs memory) (permutation of all 256 bytes) • Key expansion (16B key � 1 76B subkeys) S-box creation: – g: byte rotate, S-box, XOR with consti – Subkey (4 4-byte words) for each round plus words 1. initialize to 00 … FF one more subkey 2. calculate multiplicative inverse of each element – For AES-128, 11 subkeys (10 rounds + 1) repeat over GF(28) mod x8+x4+x3+x+1 3. transform bits of byte with XOR with constant • Rationale – Resistant to attacks Combine words into subkeys – Round constants eliminate symmetry Example: 97 � 88 – Knowledge of some bits of key or subkey does not help calculating other subkeys • Rationale – Diffusion –Low correlation between input and output bits – Speed – – Can generate subkeys on the fly (time/space) Must be invertible –Step 3 prevents interpolation attacks and eliminates S(a)=a and S(a)=a’ –Only non-linear transform of cipher
CNS Lecture 6 - 11 CNS Lecture 6 - 12
2 16 bytes data/state Encryption/decryption Rinjdael stages
•Byte substitution -- S-box (nonlinear, strength) Encryption is not identical to decryption. Decryption is same sequence of •Shift rows – permutation (diffusion) transformations, but using inverse transforms Change of subkeys needed •Mix columns – substitution using arithmetic over GF(28) Need rounds+1 subkeys -multiplies data array with constant array Note last round has no mixcolumn -multiplication is polynomial multiplication First/last step is add round key … why? mod x4 + 1 over GF(28) -- easy in hardware and fast table-lookup in software (256-entry multiplication table) -each element of a column is function of all the elements of the column (mixing) round •Add round key – XOR with round key (simple Vernam/XOR cipher) data/state key -on 32-bit processor, round transformation can be done in set of table lookups -table lookups contribute to speed of Rijndael and prevent timing/power attacks - Potential for parallelism and each stage is reversible � decryption works
CNS Lecture 6 - 13 CNS Lecture 6 - 14
Rijndael data structures Rijndael round
• 128-bit (16 byte) data block treated at 4x4 byte array
CNS Lecture 6 - 15 CNS Lecture 6 - 16
Row and column transformations Substitute byte and add round key
Row transform •Row 1 -- unchanged •Row 2 – rotate left 1 byte •Row 3 – rotate right 2 •Row 4 – rotate right 1 The row transform shifts column values, the 4 bytes of one column are spread out to four different columns.
Mix column each byte of a column is mapped ⊕ into a new value that is a function of all four bytes in the column. matrix multiply is over GF(28) After a few rounds, all output bits depend on all input bits. CNS Lecture 6 - 17 CNS Lecture 6 - 18
3 Rijndael decryption The mathematics of cryptography
Finite (discrete) mathematics
•Each stage is reversible •Modular arithmetic (shift ciphers, polyalphabets, Hill cipher) alter direction of shift rows •Primes and prime factors, greatest common divisor, BIG integer libraries invert Sbox •Linear transforms (row/column transpositions, linear algebra) Invert mixcolumn (mod x4 + 1) •Exponentiation/discrete logs (D-H, RSA) a(x) = {03}x3 + {01}x2 + {01}x + {02} •Polynomial arithmetic (CRC, AES, LFSR, ECC) a-1(x) = {0B}x3 + {0D}x2 + {09}x + {0E} •Elliptic curves (ECC) •Modified round key pre-calculate when making subkeys
So decryption differs slightly from encryption
CNS Lecture 6 - 19 CNS Lecture 6 - 20
Finite field of dreams Rijndael and polynomial arithmetic
• What we’d like is arithmetic over a finite field –Computers do better with finite (discrete) arithmetic • Rijndael utilizes polynomial arithmetic in two ways (really one) –Field is associative, commutative, etc, with additive inverse, –Invertible arithmetic (finite field) over 8-bit numbers (+ x ) multiplicative inverse invertible S-box –Works for arithmetic mod a prime, e.g (5/4) mod 7 = 3 linear transforms (mixcolumn) –But computer “words” are usually powers of 2, (5/4) mod 8 = � –4-byte arithmetic (constant poly is relatively prime to x4 + 1 ) • Stay tuned … corn fields, wheat fields, Galois fields ☺ Invert mixcolumn mod (x4 + 1) a(x) = {03}x3 + {01}x2 + {01}x + {02}
Polynomial arithmetic used by CRC's, Rijndael, LFSR's, ECC
CNS Lecture 6 - 21 CNS Lecture 6 - 22
Polynomial arithmetic Polynomial arithmetic over GF(2)
Galois fields: finite fields of • addition and multiplication • hardware influence: use coefficients mod 2 order pn, written GF(pn) –Think of each bit as a coefficient (3x4 + 5x2) + (x3 + 6x2) = 3x4 + x3 + 11x2 – addition/subtraction is XOR, multiply is AND • polynomial: x3 + x + 1 is 1011 (3x4 + 2x3) (x +1) = 3x5 + 5x4 + 2x3 (x + 1) (x2 + x) = x3 + x2 + x2 + x = x3 + x • Hardware/software: fast, XOR and table lookups • division: 3x7 + x5 + x2 - 2 divided by x4 -1 equals 3x3 + x with remainder 3x3 + x2 + x – 2
• Coefficients can be integers or mod p (Zp) ((3x4 + 5x2) + (x3 + 6x2) ) mod 7 = (3x4 + x3 + 11x2 ) mod 7 = 3x4 + x3 + 4x2
see CRC reading or Rijndael spec or text Ch 4 and Ch. 5 appendix
CNS Lecture 6 - 23 CNS Lecture 6 - 24
4 Modular polynomial arithmetic over GF(2n) poly arithmetic in GF(28)
• Do polynomial multiplication mod an irreducible polynomial • Extended Euclid algorithm can be used to find the multiplicative inverse • Notion of prime/irreducible polynomials of a polynomial (exists if mod irreducible polynomial) f(x) is irreducible if it cannot be expressed as product of two polynomials GF(28) has 30 irreducible polynomials, Rijndael uses the first one ☺ x8 + x4 + x3 + x + 1
• Primitive polynomials (a subset of irreducible polynomials) generate all elements of an extension field from a base field (used in LFSR) Over GF(2n) there are φ(2n – 1) / n primitive polynomials φ(n) number of elements relatively prime to n (Euler’s totient) n primitive polynomials 1 x+1 2 x2 + x + 1 3 x3 + x + 1, x3 + x2 + 1 4 x4 + x + 1, x4 + x3 + 1 (x4 +x3 + x2 + 1 is irreducible but not primitive) Result: (x7 + x + 1)-1 = x7 or 10000011 x 1000000 = 00000001 CNS Lecture 6 - 25 CNS Lecture 6 - 26
modular polynomial arithmetic over GF(23) Modular poly arithmetic comparison (3-bit)
Finite field GF(23) – only two irreducible polynomials: x3 + x2 +1 x3 +x + 1
Addition is just XOR
mod x3 + x + 1 See previous slide
Multiplication is just shift and XOR (5/4) mod 8 =( 5 * 4-1 ) mod 8 Multiplication by x (010): shift left, if bit shifted out is 1 XOR in 011 � no solution Every element has a multiplicative inverse If m(x)= x3 +x + 1 then x3 mod m(x) = m(x) – x3 = x+1 ↔ 011 Now 5/4 has a solution ☺ = 2
CNS Lecture 6 - 27 CNS Lecture 6 - 28
Rijndael poly arithmetic CRC’s and polynomial arithmetic -- sidebar 10011 1010100011010101 •CRC is remainder in dividing message by polynomial data stream Think of message as long string of bits (polynomial) •Can be implemented with XOR’s, shifts, and a table lookup 3 2 1 0 bytes •Coefficients of polynomial in GF(28) represented by 8-bit number (byte) ⊕ register Fast in hardware. in C •Addition of two polynomial is just XOR of the two 8-bit numbers r=0; while (len--) r = (r<<8) ^ t[(r >> 24) ^ *p++]; 0 (x6 + x4 + x2 + x +1) + ( x7 +x + 1) = x7 + x6 + x4 + x2 • 01010111 + 10000011 = 11010100 CRC polynomials chosen to detect “common” errors table •Multiplication is more complicated (need modular reduction), but still is just •All single bit errors 255 •All 2-bit errors shifts and XORs 1. Shift the register left by one byte, 8 4 3 Rijndael prime poly: x + x + x + x + 1 •N-bit errors bursts reading in a new message byte. For multiplication by x, a shift and XOR in 00011011 •Worry about what errors are not detected? 2. XOR the top byte just rotated out of •Some popular CRC polynomials: the register with the next message Mixcolumn does modular poly multiply mod (x4 + 1) (e.g. 4 bytes, each in GF(28)) 16 bits: byte to yield an index into the table 3 2 4 ([0,255]). ( {03}x + {01}x + {01}x + {02} ) mod (x + 1) (16,12,5,0) X25 standard x16 + x12 + x5 + 1 3. XOR the table value into the (16,15,2,0) "CRC-16“ but it is implemented as multiply and add on GF(28) register. 32 bits: 4. Goto 1 iff more message bytes. (32,26,23,22,16,12,11,10,8,7,5,4,2,1,0) Ethernet CNS Lecture 6 - 29 CNS Lecture 6 - 30
5 Rijndael in C Rijndael/AES in OpenSSL
/* BC byte count rk round key S sbox*/ • Command line (uses EVP mode, prepend magic and salt, pad with byte count) /* plaintext in a */ aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb KeyAddition(a,rk[0],BC); aes-256-cbc aes-256-ecb openssl aes-256-cbc -in plain.txt -out enc.dat -pass pass:boo /* ROUNDS-1 ordinary rounds */ • API for(r = 1; r < ROUNDS; r++) { #define AES_BLOCK_SIZE 16 int AES_set_encrypt_key(const unsigned char *userKey, const int bits, Substitution(a,S,BC); AES_KEY *key); ShiftRow(a,0,BC); int AES_set_decrypt_key(const unsigned char *userKey, const int bits, MixColumn(a,BC); AES_KEY *key); KeyAddition(a,rk[r],BC); void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, } unsigned char *iv, const int enc); enc is either AES_ENCRYPT or AES_DECRYPT /* Last round is special: there is no MixColumn */ Substitution(a,S,BC); Result of encryption will be rounded up to a multiple of block size (16) ShiftRow(a,0,BC); with IV padding. (e.g., you encrypt 3 bytes, you get 16 bytes out) KeyAddition(a,rk[ROUNDS],BC); IV will be updated. You need to set up the key specifically for encryption and again for decryption, since AES has a different key schedule for encryption and decryption
CNS Lecture 6 - 31 CNS Lecture 6 - 32
example AES and java (see ~dunigan/cns06/aes.java) #include
static const unsigned char key16[16]= {0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0, // Get the KeyGenerator 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12}; unsigned char iv[16],tmpiv[16]; KeyGenerator kgen = KeyGenerator.getInstance("AES"); kgen.init(128); // 192 and 256 bits may not be available main() SecretKey skey = kgen.generateKey(); { char out[4096],in[4096], *str="123456789abcdefghij"; byte[] raw = skey.getEncoded(); AES_KEY aeskey; SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES"); int lth; // Instantiate the cipher lth = strlen(str) + 1; Cipher cipher = Cipher.getInstance("AES"); strncpy(in,str, lth); cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
AES_set_encrypt_key(key16,128,&aeskey); byte[] encrypted = memcpy(tmpiv,iv,sizeof(iv)); cipher.doFinal((args.length == 0 ? AES_cbc_encrypt(in,out, lth, &aeskey, tmpiv,AES_ENCRYPT); "This is just an example" : args[0]).getBytes()); AES_set_decrypt_key(key16,128,&aeskey); memcpy(tmpiv,iv,sizeof(iv)); //reset IV System.out.println("encrypted string: " + asHex(encrypted)); AES_cbc_encrypt(out,in, sizeof(out),&aeskey, tmpiv,AES_DECRYPT); printf("%s\n",in); }
See ~dunigan/cns06/aes.c and assignment 7
CNS Lecture 6 - 33 CNS Lecture 6 - 34
Rijndael in hardware AES selection criteria
• 8-bit processor (smartcard) • security –addroundkey is a bytewise XOR • software implementations C/java, 8/32/64-bit processors –shiftrows is byte rotates • ROM/RAM requirements –subbytes is table lookup (256 byte table) • hardware implementations ASIC/FPGA –mixcolumns is XORs and a table lookup (256 byte table) • instruction-level parallelism • 32-bit processor • speed –Operate on 32-bit words rather than bytes • susceptibility to timing/power attacks –4 table lookups and four XORs per column per round (fast) • encryption vs decryption –Need 4 256-word (1024 byte) tables • key agility (switch keys quickly) • Can trade off memory space for computation time • versatility (block/key/round sizes)
CNS Lecture 6 - 35 CNS Lecture 6 - 36
6 AES assessment Choosing AES (Table from Twofish Paper) • high security: mars, serpent, twofish • software: rijndael good 8-64, rc6 good, serpent slow
• key sched: rijndael fast, twofish slow Speed Speed Safety Simplicity • space: rijndael/serpent good. mars not. Cipher (32) (8) Factor (code size) • hardware: serpent/rijndael good. mars average. Serpent 62 69 3.56 341 KB • attacks: serpent/rijndael good. twofish ok. rc6/mars bad MARS 23 34 1.90 85 KB enc/dec: twofish, mars, rc6 good. rijndael ok. serpent last. RC6 15 43 1.18 48 KB • key agility: twofish/serpent good. rijndael ok. rc6 last. • parallelism: rijndael best. Rijndael 18 20 1.11 98 KB
Twofish 16 18 2.67 104 KB • Votes: rijndael(86), serpent(59), twofish(31), rc6(23), mars(13) (cycles/byte encrypt)
CNS Lecture 6 - 37 CNS Lecture 6 - 38
Rijndael AES evaluation Rijndael AES evaluation cont.
CNS Lecture 6 - 39 CNS Lecture 6 - 40
AES vs DES Whirlpool (hash function)
• Uses AES-like encryption function (W) to mix bits • Can you match the DES steps with the Rijndael steps? –Based on polynomial arithmetic but fast (shift’s and XOR’s) –Added to OpenSSL 0.9.9 • 512-bit hash (faster than SHA-512) DES steps Rijndael • More secure? … test of time Generate sub-keys Shift-rows Permutations Mix column XOR sub-key with right half Byte substitution XOR f() (S-box) with right half Add round key Swap left and right Generate round keys
DES: substitution & permutation (tuned only for hardware) AES (Rijndael): substitution & linear transform
CNS Lecture 6 - 41 CNS Lecture 6 - 42
7 AES and whirlpool hash Block cipher advances
• Variable key length • Mixed operators (non-linear) (Bent functions) • Key/Data-dependent rotations (RC5) • Key-dependent S boxes (blowfish) • Round-dependent functions • Whitening (XOR key material before first round and after last round) • Complex sub-key generation (blowfish) • Variable block lengths and rounds and substitution • Operate on both halves (blowfish/RC5) • Mitigate linear/differential cryptanalysis • Optimized for hardware/software
CNS Lecture 6 - 43 CNS Lecture 6 - 44
Block cipher summary CCM – encryption and authentication
• Use 128-bit encryption (AES) to do both authentication and substitution/permutation encryption in one pass using same key (RFC 3610, NIST 800- 38C) • 64-bit or 128-bit blocks • • DES Use AES-CBC to calculate authenticator over message and – small key � (use 3DES) nonce (e.g., message number) – test of time • Append authenticator to message – widely available • Use AES in counter mode to encrypt message and authenticator – S boxes are strength • • IDEA -- optimized for hardware/software Two encryptions per message block • blowfish -- key-dependent S-boxes, fast • Many parameters to select, prepend mode to message • RC5 -- input-dependent rotations • Used in 802.16 (wireless MAN, WiMAX) • CAST -- nonlinear S-boxes, round-dependent functions • • Rijndael – S-boxes, optimized for hardware/software , Though it is best practice to use different key for authentication AES winner ☺ and encryption, it’s OK here to use one key because of “shared” nonce Need key,padding, IV, and ECB/CBC/OFB/CFB/CTR • Remember encryption does not provide authentication
CNS Lecture 6 - 45 CNS Lecture 6 - 46
Stream ciphers Encryption with a hash function • (pre) compute a (pseudo) one-time pad (keystream)
• encrypt a byte/bit at a time (telecomm) b1 = Hash(key, IV) – ⊕ � XOR plaintext with keystream Pi Ki Ci bi = Hash(key,bi-1) Decrypt C ⊕ K � P i i i • ⊕ keystream == pseudorandom number generator ci = pi bi • efficient in hardware • pi = ci ⊕ bi • much theoretical analysis (LFSR's) • why IV? why use key each time? • faster than block ciphers (hardware) • synchronous (independent of plain/cipher), pad/OFB • stream cipher (byte at a time) • asynchronous (feedback) CFB • exportable • easily misused � • examples (many proprietary) • used by RADIUS/TACACS+ – one-time pad • error properties: – hash PRNG's – OFB/CFB (can make a block a stream) –change a bit in ci ? – PKZIP –lose a ci? – RC4 (in 802.11, PPTP, Lotus Notes, CDPD, SQL, ssh,WORD/Excel) – A5 (3 LFSR's) in Europe's GSM cell phone, US cellular ORYX 3 32-bit LFSRs – E0 (4 LFSR's) for bluetooth
CNS Lecture 6 - 47 CNS Lecture 6 - 48
8 Stream cipher from a block cipher RC4
trademark of RSA • used in several products (WEP, SSL, WORD) • fast • synchronous, 8x8 S box (evolves) OFB fill S box with 0 to 255 and take key K j=0 for i = 0 to 255 // rearrange Sbox according to key
j = (j + Si + Ki) mod 256 swap Si and Sj
//stream generation i,j=0 while (true) i = (i+1) mod 256
j = (j+ Si) mod 256 swap Si and Sj // rearrange Sbox t = (Si + Sj) mod 256 b = St XOR plain/cipher text byte with b • Either OFB or CFB mode or CTR • Can pre-compute key stream in OFB or CTR CNS Lecture 6 - 49 CNS Lecture 6 - 50
LFSR keystream Combining LFSR’s
linear feedback shift registers • efficient in hardware (shift XOR) Alternating step generator Shrinking generator • where to tap (connection polynomial) select R or R based on R select R only when R outputs a 1 • full period (2n - 1) if polynomial is x17 + x 15 + 1 2 3 1 2 1 primitive mod 2 • example, x4 + x +1 (1,0,0,1) • n-bit "key" is initial setting (seed) • can solve single LFSR, so use several • shrinking generator -- use output of 1 0 0 1 first LFSR to select/drop bit of 2nd LFSR • GSM's A5 uses XOR of 3 LFSRs • US cellular ORYX 3 32-bit LFSRs
applet animation
CNS Lecture 6 - 51 CNS Lecture 6 - 52
GSM A5 SNOW
• Version 1 weak, version 2 better • LFSR (16x32 bits) plus finite state machine (FSM) • 32-bit operations /output • 8x8 bit S box • 128 or 256 bit key • 3 LFSR’s with periods (19,22, and 23 � 64-bit key) • 128-bit IV x19 + x5 +x2 + x + 1 x22 + x + 1 x23 + x16 + x2 + x + 1 • Output “clocked” by majority function from taps at 8, 10, and 10 – Clocked means register is shifted with its new feedback input • Without clocking, period would be (219 – 1)(222 – 1)(223 – 1), but experiments show really only 4/3 (223 – 1) • Only 70% of seeds produce different keystreams
CNS Lecture 6 - 53 CNS Lecture 6 - 54
9 LFSR summary Stream ciphers
• Byte or bit based
• Efficient in hardware (LFSR) based on XOR ci = pi ⊕ si • The ultimate: ONE-TIME PAD, everything else repeats � • Hash-based PRNG’s are good approximations • TROUBLE if you re-use the key stream! • Fast/simple in hardware –If plaintext/ciphertext pair known, you have the keystream •Subject to correlation attacks with known plaintext –If PRNG period too short (WEP/RC4 GSM), key stream will repeat •Need non-linear combinations –If you have multiple plaintext’s encrypted with same keystream (Microsoft Excel/WORD), you can XOR ciphertexts and with word/character •Use “secret” connection polynomial (ci) frequencies derive plaintexts P1i ⊕ P2i see Dawson/Nielsen Polynomial arithmetic over GF(2n) used in Rijndael, CRC’s, ECC, and LFSR’s Use a block cipher if you can.
CNS Lecture 6 - 55 CNS Lecture 6 - 56
Performance (MBs) Choosing a cipher MD5 204 Snake oil RIPEM 53 SHA 73 Panama 302 • depends on application • pseudo-mathematical gobbledygook – • IDEA 19 unique in-house developed incremental base shift algorithm type: stream or block Skipjack 20 – virtual matrix of binary values which is infinity in size in theory • block mode: CBC, ECB, OFB, CFB, CTR DES 21 – utilizes DGNT bulk encryption method • compact (smart card) 3DES 10 • new mathematics -- chaotic functions, neural nets, zeta functions RC5 59 • revolutionary breakthrough • strength (key length, lifetime, test of time) Blowfish 64 • proprietary crypto -- trust us • license? Rijndael 62 • extreme cluelessness -- unbreakable • availability/portability RC4 113 • ridiculous key lengths • one-time pads • performance 2.1GHz pentium 4 • unsubstantiated claims – “ scientifically acclaimed ... military grade” • error properties (mods/losses) – you need separate integrity check (hash) • security proofs – “ proved as secure as a one-time pad ” • tested, widely used • exportable • “not broken by Tom’s cns06 students” • Worry about padding and IV – cracking contests don't guarantee security • OpenSSL: DES, 3DES, DESX, blowfish, AES, RC4, Cast • don't build your own or buy snake oil
CNS Lecture 6 - 57 CNS Lecture 6 - 58
PAIN Key management
Does symmetric key encryption provide: • key generation • Privacy? • key length • Authenticity? • key lifetime, archiving • • Integrity? key distribution • Non-repudiation? • Availability? PKI (later) • Virus protection? • PKI issues (later) • key recovery • protecting keys
CNS Lecture 6 - 59 CNS Lecture 6 - 60
10 Key generation Key length
Size matters choose strong keys • depends on value of information and resources of attacker • passwords/phrases • depends on lifetime of secrets –length • assume algorithm perfect, then brute force –mixture: upper, lower, special, numerics • one more bit of key, doubles attacker's work factor (exponential) type lifetime key lth bits –good generator/verifier tactical military minutes 56-64 –dictionary attacks product announce days 64 business plan years 64 • random keys trade secrets decades 112 –unpredictable nuclear secrets 40 yrs 128 spy IDs 50 yrs 128 –random sources (keystrokes, system info, /dev/random) personal info 50 yrs 128 –mixing (MD5, X9.17) • 128-bit key: – using all the computers in the world, and if they could do a million watch out for rand() encryptions/sec, it would take a million times the age of the universe! (AES key sizes: 128, 192, 256)
CNS Lecture 6 - 61 CNS Lecture 6 - 62
Brute force key attacks Brute force
symmetric key • equivalent resistance to attack (key length in bits) Symmetric Public • time and cost 56 384 • software, FPGA, ASIC 64 512 • hacker, corporate, government 80 768 • 40-bit key: $400 FPGA, 5 hours 112 1792 128 2304 • EFF DES cracker $250K, 3 days ref. Schneier • DES key breaking ($1M/4 hr.) within budget of large corporation or criminal organization • public key vulnerable to improvements in factoring algorithms • $300M, DES keys in 12 seconds (or discrete logs) • 75-bit, $10M/6 yrs, $300M/70 days • recommend 75-90 bit keys today , 128
CNS Lecture 6 - 63 CNS Lecture 6 - 64
Key lifetime Updating keys
• lifetime is a function of keylength (work factor for brute force) • Kerberos/PEM/PGP/PKI include ticket/key lifetime fields • the more a key is used, the greater the loss if compromised • password aging • the longer a key is used, the more likely it will be compromised • public keys, typically 2 yrs max • lifetime of info (message, signature, file) • may need key archive (key id with material), or re-key material • amount of data encrypted can determine lifetime • archive CRL's too (PKI Certificate Revocation List …later) –bad guy accumulates ciphertext for cryptanalysis • risk in distributing new keys –for DES, don't send more than 238 bits under the same key –need (secure) key renewal, key update protocol at 1 Gbit/sec, 5 minutes –Perfect forward secrecy (don’t use old key to generate/send new key) • key hierarchy (master key, session key) –Use master key only to encrypt temporary session keys
CNS Lecture 6 - 65 CNS Lecture 6 - 66
11 Key distribution KDC
How to get keys (code books, one-time pads) to the end users? key distribution center
• courier � • N2 keys for N nodes – Codebook (enigma) get key of the day –one for every pair � • secret keys -- out of band, splitting • KDC: • third party generates key and delivers to A and B –Just N KDC keys for N users • KDC (Kerberos/DCE) -- must be secure –KDC generates session key for Bob and Alice, sends • key update using old key �or key encrypting key/master key ☺ it to them encrypted with their respective KDC key • ISAKMP/Oakley, SKIP, Photuris (IPsec) –KDC must be secure set up key on behalf of application • • Diffie-Hellman (perfect forward secrecy) protocol for requesting session key • public key cryptography • More on key distribution when we look at Kerberos
CNS Lecture 6 - 67 CNS Lecture 6 - 68
Key recovery Key escrow the NSA way
key recovery is when I can find out my key. Key escrow is when you can find out my key. Escrowed Encryption Standard (EES)
• good business sense • FIPS 185 • permit decrypting bad guys messages • key escrow • key would be split in half –Clipper chip – big brother � • two government agencies would hold halves • –clipper III -- and export carrot court order would allow gathering two halves • inducement: US let you use bigger key, if you use EES ! • commercial recovery (Entrust) • bad public relations • secret sharing (m,n) threshold –rushed announcement, which agencies? –not pre-released to security community – split secret into n parts (n > m) –not clearly justified –any m of them can be used to reconstruct secret –no provision for review by Congress, public,... –several algorithms (Schneier) (Shamir: m-degree polynomial) • Clipper chip – an implementation • part of a PKI? -- encrypt message key with CA's key too?
CNS Lecture 6 - 69 CNS Lecture 6 - 70
Clipper chip skipjack
• Alice and Bob create a session key k (Diffie-Hellman, KEA,…) • NSA encryption for Clipper chip (FORTEZZA) • clipper encrypts message M with Skipjack Ek(M) • algorithm secret (til '98), hardware tamper-resistant • LEAF is transmitted with encrypted message • Law Enforcement Agent's Field (128 bits) reviewed by panel of experts • strength not dependent on secrecy of algorithm
Ef(Eu(k),id,ac) • design started in '85 • evaluation completed in '90 – f secret family key (chips know, Key Escrow Decrypt Processor knows ) • specs – id is chip id (32b) iterative block cipher – ac authentication code (16b)(used by receiving chip to verify authentic LEAF) receiver won’t “decrypt” if LEAF is “bad” 64-bit block – u chip-specific key 80 bit key u = k1 ⊕ k2 is split between two agencies � given K1 and k2, construct u 32 rounds, XOR 4x16 bit shift register/counter with 4-round Feistel using 8x8 • MYK-80 1MB/sec (includes hardware random generator) S box • Example, telephone encryptor, link encryptor, FORTEZZA card • e.g, wiretap captures encrypted message and LEAF, court order gets you k1 and k2
CNS Lecture 6 - 71 CNS Lecture 6 - 72
12 Protecting keys Where to encrypt?
• link layer don't PostIt • encrypting modem, net board (wireless) • • transparent,fast one-time passwords or encrypted channel (ssh) • suitable for private net • encrypt private key • protects only one link (pt-to-pt) • info may be exposed in OS • key renewal network/transport layer • swIPe, IPv6(IPsec) • worry about trojan horses, keyboard sniffers • transparent • selectable (policy) • strong protection of KDC and CA's • appl./host/net keying • works over public net • strong protection of backups • virtual private network (VPN) • system layer: encrypting file systems (EFS/CFS) • tamperproof hardware application layer – • end-to-end over public net token/Fortezza card • custom applications (PGP, ssh, ssl) – CA Certificate Signing Unit (CSU) • intrusive, but flexible • API for application development • key for every logical circuit
CNS Lecture 6 - 73 CNS Lecture 6 - 74
Traffic analysis review
encrypted traffic threats Attacks & Defenses Cryptography Applied crypto • Risk assessment� •Random numbers� •SSH • covert channels • Viruses� • who's talking to whom •Hash functions� •PGP • Unix security� • frequency, event correlation MD5, SHA,RIPEMD •S/Mime • quantity, length, patterns of messages • authentication� • countermeasures • Network security •Classical + stego� •SSL – padding messages Firewalls,vpn,IPsec,IDS •Number theory •Kerberos –continuous/random traffic •Symmetric key� •IPsec
DES, Rijndael, RC5 •Public key
RSA, DSA, D-H,ECC CNS Lecture 6 - 75 CNS Lecture 6 - 76
Review Next time … Lectures 1. Risk, viruses 2. UNIX vulnerabilities Mid-term • Lectures 3. Authentication & hashing 4. Random #s classical crypto part 1: take-home (analysis of MISTY1 cipher), work on your own 5. Block ciphers DES, RC5 6. AES, stream ciphers RC4, LFSR see midterm (class7.html) 7. MIDTERM � part 2: in class (open book/notes/…) next Tuesday, you’ll need your textbook 8. Public key crypto RSA, D-H 9. ECC, PKCS, ssh/pgp 10. PKI, SSL 11. Network vulnerabilities 12. Network defenses, IDS, firewalls 13. IPsec, VPN, Kerberos, secure OS 14. Secure coding, crypto APIs 15. review
http://www.cs.utk.edu/~dunigan/cns06/midrvw.txt
CNS Lecture 6 - 77 CNS Lecture 6 - 78
13